Add FIPS Self test kats for digests

[openssl.git] / providers / fips / self_test.c

diff --git a/providers/fips/selftest.c b/providers/fips/self_test.c
similarity index 92%
rename from providers/fips/selftest.c
rename to providers/fips/self_test.c
index 91e4bb07f5cc0cac8efdae13385d35ab1db54a92..e486dd0db0fcb0e94b2ca0f071b991d510273042 100644 (file)
--- a/providers/fips/selftest.c
+++ b/providers/fips/self_test.c
@@ -20,7 +20,7 @@
  */
 #define ALLOW_RUN_ONCE_IN_FIPS
 #include <internal/thread_once.h>
-#include "selftest.h"
+#include "self_test.h"
 
 #define FIPS_STATE_INIT     0
 #define FIPS_STATE_SELFTEST 1
@@ -132,7 +132,8 @@ DEP_FINI_ATTRIBUTE void cleanup(void)
  */
 static int verify_integrity(BIO *bio, OSSL_BIO_read_ex_fn read_ex_cb,
                             unsigned char *expected, size_t expected_len,
-                            OPENSSL_CTX *libctx)
+                            OPENSSL_CTX *libctx, OSSL_ST_EVENT *ev,
+                            const char *event_type)
 {
     int ret = 0, status;
     unsigned char out[MAX_MD_SIZE];
@@ -142,6 +143,8 @@ static int verify_integrity(BIO *bio, OSSL_BIO_read_ex_fn read_ex_cb,
     EVP_MAC_CTX *ctx = NULL;
     OSSL_PARAM params[3], *p = params;
 
+    SELF_TEST_EVENT_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+
     mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
     ctx = EVP_MAC_CTX_new(mac);
     if (mac == NULL || ctx == NULL)
@@ -167,11 +170,13 @@ static int verify_integrity(BIO *bio, OSSL_BIO_read_ex_fn read_ex_cb,
     if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
         goto err;
 
+    SELF_TEST_EVENT_oncorrupt_byte(ev, out);
     if (expected_len != out_len
             || memcmp(expected, out, out_len) != 0)
         goto err;
     ret = 1;
 err:
+    SELF_TEST_EVENT_onend(ev, ret);
     EVP_MAC_CTX_free(ctx);
     EVP_MAC_free(mac);
     return ret;
@@ -187,6 +192,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
     unsigned char *module_checksum = NULL;
     unsigned char *indicator_checksum = NULL;
     int loclstate;
+    OSSL_ST_EVENT ev;
 
     if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init))
         return 0;
@@ -217,6 +223,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
             || st->module_checksum_data == NULL)
         goto end;
 
+    SELF_TEST_EVENT_init(&ev, st->event_cb, st->event_cb_arg);
+
     module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
                                          &checksum_len);
     if (module_checksum == NULL)
@@ -226,7 +234,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
     /* Always check the integrity of the fips module */
     if (bio_module == NULL
             || !verify_integrity(bio_module, st->bio_read_ex_cb,
-                                 module_checksum, checksum_len, st->libctx))
+                                 module_checksum, checksum_len, st->libctx,
+                                 &ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY))
         goto end;
 
     /* This will be NULL during installation - so the self test KATS will run */
@@ -248,7 +257,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
         if (bio_indicator == NULL
                 || !verify_integrity(bio_indicator, st->bio_read_ex_cb,
                                      indicator_checksum, checksum_len,
-                                     st->libctx))
+                                     st->libctx, &ev,
+                                     OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY))
             goto end;
         else
             kats_already_passed = 1;
@@ -256,7 +266,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
 
     /* Only runs the KAT's during installation OR on_demand() */
     if (on_demand_test || kats_already_passed == 0) {
-        /*TODO (3.0) Add self test KATS */
+        if (!SELF_TEST_kats(&ev, st->libctx))
+            goto end;
     }
     ok = 1;
 end: